Microsoft warns of new vulnerabilities

The software giant issues a patch that fixes four separate vulnerabilities in its IIS software and alerts customers of a flaw in Windows Media Services.

May 29, 20034:38 AM PDT

Microsoft on Wednesday issued a pair of security alerts addressing potential flaws that could make its software vulnerable to attackers.

The higher-rated of the two bulletins includes a patch that fixes four separate vulnerabilities in Microsoft's Internet Information Services (IIS) software. That alert, rated "important," addresses vulnerabilities that could make servers running the software vulnerable to a denial-of-service attack.

"We definitely want everyone who is running IIS 4.0, 5.0 and 5.1 to install the patch," said Microsoft program manager Stephen Toulouse. However, IIS 6 and Microsoft Windows Server 2003 are not affected by the flaws, he added.

A second bulletin, rated "moderate," addresses a vulnerability in Windows Media Services that, if exploited, could result in a denial-of-service attack. The bulletins are Microsoft's 18th and 19th security warnings of the year.

Of the four issues addressed in the combination patch, the most serious vulnerability is one in the WebDav service that IIS uses for authoring. If exploited, the flaw could cause a server running IIS to stop responding to requests. That vulnerability exists in versions 5.0 and 5.1 of IIS, but not in version 4.0.

Two other flaws addressed by the combination patch are rated as moderate. One could lead to a denial of service, while another could allow malicious code to be run through what is known as a "buffer overrun." However, to be exploited, both vulnerabilities require an attacker to first upload a specific page to a Web page.

As for Microsoft's second bulletin, which addresses Windows Media Services, a flaw in one of the files associated with that software could allow someone to cause an IIS server to stop responding.

Microsoft has taken a number of steps in recent months to try to convince more information technology managers to install its security patches. The company has set up separate e-mail alert systems for corporate IT managers and for consumers as well as a toll-free number, should customers encounter problems with any of Microsoft's patches.

Toulouse said that while Microsoft tries to work quickly to address problems, it spends as much time as possible testing its fixes to make sure new flaws are not introduced.

"We aren't satisfied until everyone has the patch installed," he said. "We've done a variety of things to try and communicate as broadly as we can to our customers that they need to install these updates."

In addition to the two new bulletins, Microsoft updated two existing alerts, issuing a new patch for one vulnerability and updating an existing patch for a different flaw. On Tuesday, the company withdrew a security update for Windows XP, saying that it switched off Internet connections for some of those who had downloaded the patch.